INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Jobs

BCM50 Hacked, trying to plug the hole

BCM50 Hacked, trying to plug the hole

(OP)
Hi,

A BCM50 system that I look after was hacked overnight and a large bill racked up on international premium rate numbers before the provider was able to put a block in place.

After doing some research I believe the method used was to make an external call from within callpilot once the auto attendant had picked up the call.

I've since removed the ability to make external calls from all COS. I've also put mailbox restrictions in place on all mailboxes and had users change their PINs, as well as PINs for the System Manager and General Pickup mailboxes. I suspect that the System Manager or General Pickup mailbox PIN had been reset by the client and not set to something secure.

My questions are, is there anything else I should do to ensure this cannot be repeated and how is it possible to create an external call from within the voicemail system? Is it a case of dialing specific codes once the auto-attendant has picked up the call? I would like to attempt it myself to ensure all external calls are blocked.

Many thanks for any info.

Tubdub

RE: BCM50 Hacked, trying to plug the hole

(OP)
Here is a extract from the callpilot event log, as you can see there is a failed attempt to log in as the System Manager (102) then a bunch of external calls are initiated. My main concern is it seems that they were unable to guess the PIN for the mailbox, and there is no log of another mailbox being accessed, yet the external calls were still possible.

2017-05-14T23:56:58.094 [INFO ] {STLog} (0) - MyPhone: Bad Password: 102 by 188.161.244.180 rc=1(0x1)
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - Daily statistics ..
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - One call FOD 0 Two Call FOD 0 FOV 0 FAX Print 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - Incoming AMIS 0 Outgoing AMIS 0 VPorts Busy 0 FPorts Busy 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - F980 Sess 0 F981 Sess 0 F982 Sess 0 F983 Sess 0 F985 Sess 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - F986 Sess 0 F987 Sess 0 F988 Sess 0 F989 Sess 0 F930 Sess 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - Call Ans 0 AA/CCR 0 OPN 0 PAGE 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - Ext Trans 0 Ctx Trans 0 Broadcast Msgs 0 Group List Msgs 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - SMTP Receive 0 SMTP Send 0 NVM Manager 0 Call Screening 0
2017-05-15T00:01:16.461 [INFO ] {STLog} (0) - Dsktp Logins 0 Dsktp Open Msgs 0 Text Bodies 0
2017-05-15T02:00:41.867 [INFO ] {STLog} (0) - Shell 5: AsLogic, unexpected event rc=75(0x4b)
2017-05-15T02:00:41.867 [INFO ] {STLog} (0) - Internal call from DN .
2017-05-15T02:00:41.867 [INFO ] {STLog} (0) - Dump: Shell 5
2017-05-15T02:00:41.867 [INFO ] {STLog} (0) - 2017/05/15 00:16:12 TVSStart Called DN Answered
2017-05-15T02:00:41.867 [INFO ] {STLog} (0) - 2017/05/15 00:16:12 TVSMain init event
2017-05-15T02:00:41.868 [INFO ] {STLog} (0) - 2017/05/15 00:17:10 TVSMain call disconnect
2017-05-15T02:00:41.868 [INFO ] {STLog} (0) - 2017/05/15 00:17:10 TVSShellDone init event
2017-05-15T02:00:41.868 [INFO ] {STLog} (0) - 2017/05/15 00:17:10 Idle State init event
2017-05-15T02:00:41.868 [INFO ] {STLog} (0) - 2017/05/15 02:00:25 Idle State TVS start
2017-05-15T02:00:41.868 [INFO ] {STLog} (0) - 2017/05/15 02:00:25 TVSStart init event
2017-05-15T02:00:41.869 [INFO ] {STLog} (0) - 2017/05/15 02:00:25 AsOriginate init event
2017-05-15T02:00:41.869 [INFO ] {STLog} (0) - 2017/05/15 02:00:25 OriginateExtCal init event
2017-05-15T02:00:41.869 [INFO ] {STLog} (0) - 2017/05/15 02:00:27 OriginateExtCal 1st timeout
2017-05-15T02:00:41.869 [INFO ] {STLog} (0) - 2017/05/15 02:00:27 CompleteExtCall init event
2017-05-15T02:00:41.869 [INFO ] {STLog} (0) - 2017/05/15 02:00:27 CompleteExtCall 1st timeout
2017-05-15T02:00:41.878 [INFO ] {STLog} (0) - 2017/05/15 02:00:27 TVSStart Called DN Answered
2017-05-15T02:00:41.878 [INFO ] {STLog} (0) - 2017/05/15 02:00:27 TVSMain init event
2017-05-15T02:00:41.878 [INFO ] {STLog} (0) - 2017/05/15 02:00:30 TVSMain call disconnect
2017-05-15T02:00:41.878 [INFO ] {STLog} (0) - 2017/05/15 02:00:30 TVSShellDone init event
2017-05-15T02:00:41.879 [INFO ] {STLog} (0) - 2017/05/15 02:00:30 Idle State init event
2017-05-15T02:00:41.879 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 Idle State TVS start
2017-05-15T02:00:41.879 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 TVSStart init event
2017-05-15T02:00:41.879 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 AsOriginate init event
2017-05-15T02:00:41.879 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 OriginateExtCal init event
2017-05-15T02:00:41.880 [INFO ] {STLog} (0) - 2017/05/15 02:00:40 OriginateExtCal call answered
2017-05-15T02:00:41.880 [INFO ] {STLog} (0) - 2017/05/15 02:00:41 OriginateExtCal TVS hangup
2017-05-15T02:00:41.881 [INFO ] {STLog} (0) - 2017/05/15 02:00:41 AsLogic TVS hangup
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - Shell 5: AsLogic, unexpected event rc=75(0x4b)
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - Internal call from DN .
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - Dump: Shell 5
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - 2017/05/15 02:00:30 TVSShellDone init event
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - 2017/05/15 02:00:30 Idle State init event
2017-05-15T02:00:50.248 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 Idle State TVS start
2017-05-15T02:00:50.249 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 TVSStart init event
2017-05-15T02:00:50.249 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 AsOriginate init event
2017-05-15T02:00:50.249 [INFO ] {STLog} (0) - 2017/05/15 02:00:39 OriginateExtCal init event
2017-05-15T02:00:50.249 [INFO ] {STLog} (0) - 2017/05/15 02:00:40 OriginateExtCal call answered
2017-05-15T02:00:50.249 [INFO ] {STLog} (0) - 2017/05/15 02:00:41 OriginateExtCal TVS hangup
2017-05-15T02:00:50.250 [INFO ] {STLog} (0) - 2017/05/15 02:00:41 AsLogic TVS hangup
2017-05-15T02:00:50.250 [INFO ] {STLog} (0) - 2017/05/15 02:00:43 OriginateExtCal 1st timeout
2017-05-15T02:00:50.251 [INFO ] {STLog} (0) - 2017/05/15 02:00:43 CompleteExtCall init event
2017-05-15T02:00:50.251 [INFO ] {STLog} (0) - 2017/05/15 02:00:43 CompleteExtCall 1st timeout
2017-05-15T02:00:50.251 [INFO ] {STLog} (0) - 2017/05/15 02:00:43 TVSStart Called DN Answered
2017-05-15T02:00:50.251 [INFO ] {STLog} (0) - 2017/05/15 02:00:43 TVSMain init event
2017-05-15T02:00:50.251 [INFO ] {STLog} (0) - 2017/05/15 02:00:45 TVSMain TVS hangup
2017-05-15T02:00:50.252 [INFO ] {STLog} (0) - 2017/05/15 02:00:45 TVSShellDone init event
2017-05-15T02:00:50.252 [INFO ] {STLog} (0) - 2017/05/15 02:00:46 Idle State init event
2017-05-15T02:00:50.252 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 Idle State TVS start
2017-05-15T02:00:50.252 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 TVSStart init event
2017-05-15T02:00:50.252 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 AsOriginate init event
2017-05-15T02:00:50.253 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 OriginateExtCal init event
2017-05-15T02:00:50.253 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 OriginateExtCal call answered
2017-05-15T02:00:50.253 [INFO ] {STLog} (0) - 2017/05/15 02:00:50 OriginateExtCal TVS hangup
2017-05-15T02:00:50.253 [INFO ] {STLog} (0) - 2017/05/15 02:00:50 AsLogic TVS hangup
2017-05-15T02:00:57.884 [INFO ] {STLog} (0) - Shell 5: AsLogic, unexpected event rc=75(0x4b)
2017-05-15T02:00:57.884 [INFO ] {STLog} (0) - Internal call from DN .
2017-05-15T02:00:57.884 [INFO ] {STLog} (0) - Dump: Shell 5
2017-05-15T02:00:57.884 [INFO ] {STLog} (0) - 2017/05/15 02:00:45 TVSShellDone init event
2017-05-15T02:00:57.885 [INFO ] {STLog} (0) - 2017/05/15 02:00:46 Idle State init event
2017-05-15T02:00:57.885 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 Idle State TVS start
2017-05-15T02:00:57.885 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 TVSStart init event
2017-05-15T02:00:57.885 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 AsOriginate init event
2017-05-15T02:00:57.885 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 OriginateExtCal init event
2017-05-15T02:00:57.886 [INFO ] {STLog} (0) - 2017/05/15 02:00:48 OriginateExtCal call answered
2017-05-15T02:00:57.886 [INFO ] {STLog} (0) - 2017/05/15 02:00:50 OriginateExtCal TVS hangup
2017-05-15T02:00:57.886 [INFO ] {STLog} (0) - 2017/05/15 02:00:50 AsLogic TVS hangup
2017-05-15T02:00:57.886 [INFO ] {STLog} (0) - 2017/05/15 02:00:52 OriginateExtCal 1st timeout
2017-05-15T02:00:57.887 [INFO ] {STLog} (0) - 2017/05/15 02:00:52 CompleteExtCall init event
2017-05-15T02:00:57.887 [INFO ] {STLog} (0) - 2017/05/15 02:00:52 CompleteExtCall 1st timeout
2017-05-15T02:00:57.887 [INFO ] {STLog} (0) - 2017/05/15 02:00:52 TVSStart Called DN Answered
2017-05-15T02:00:57.887 [INFO ] {STLog} (0) - 2017/05/15 02:00:52 TVSMain init event
2017-05-15T02:00:57.887 [INFO ] {STLog} (0) - 2017/05/15 02:00:53 TVSMain TVS hangup
2017-05-15T02:00:57.888 [INFO ] {STLog} (0) - 2017/05/15 02:00:53 TVSShellDone init event
2017-05-15T02:00:57.888 [INFO ] {STLog} (0) - 2017/05/15 02:00:53 Idle State init event
2017-05-15T02:00:57.888 [INFO ] {STLog} (0) - 2017/05/15 02:00:56 Idle State TVS start
2017-05-15T02:00:57.888 [INFO ] {STLog} (0) - 2017/05/15 02:00:56 TVSStart init event
2017-05-15T02:00:57.888 [INFO ] {STLog} (0) - 2017/05/15 02:00:56 AsOriginate init event
2017-05-15T02:00:57.889 [INFO ] {STLog} (0) - 2017/05/15 02:00:56 OriginateExtCal init event
2017-05-15T02:00:57.889 [INFO ] {STLog} (0) - 2017/05/15 02:00:56 OriginateExtCal call answered
2017-05-15T02:00:57.889 [INFO ] {STLog} (0) - 2017/05/15 02:00:57 OriginateExtCal TVS hangup
2017-05-15T02:00:57.889 [INFO ] {STLog} (0) - 2017/05/15 02:00:57 AsLogic TVS hangup

RE: BCM50 Hacked, trying to plug the hole

I knew of a BCM that was hacked via Call Pilot Manager and port 443 was forwarded onto the BCM system. The hackers used Call Pilot Manager to get in via the browser tool and able to create a dial out path.

I'd remove all ports onto the BCM from the router except for essential ones such as 7000 for IP phones. Check that the BCM isn't in any router's DMZ.

Go through all mailbox activity and I think you will find where the breach is.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.com
linkedin

RE: BCM50 Hacked, trying to plug the hole

I agree a mailbox most likely penterated, could be trivial password like 1234 and they have outbound transfer allowed.

Look at Mailbox Activity log and look for the dialed sting that called out....the one the carrier stated they used.
Ctl-F to find it.

Also see our FAQ's
http://www.tek-tips.com/faqs.cfm?fid=7861


________________________________________

Add me to LinkedIN

**New Allworx Forum**


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: BCM50 Hacked, trying to plug the hole

(OP)
Hi, thanks for the responses.

With regard to the Mailbox Activity log, do you mean the one that is available from the CallPilot admin login, under Reports? All this shows is the number of mailbox accesses and the amount of messages left.

Is there another log somewhere with more info?

Thanks

RE: BCM50 Hacked, trying to plug the hole

Mailbox Information

Here is an edited sample from mine:

201 SUB *Service,TelcoPC 255 15 0 0 0 0 0 0 R All
PAGE BOTH - PAGE ZONE 1 - PAGE RETRIES: 1 - PAGE INTERVAL: 15
XFERS Screened
OPN/RNPHONE 944169535XXXX
OPN/RNSTATUS Inactive START 12:01 am STOP 11:59 pm
MSGFWD Active me@myemail.XXX
ATTACHMENT WAV
ORIGINAL MSG Do Nothing
TRANSF 944169535XXXX

The outbound dialing string is usualy at the bottom of info of the mailbox.
94 is my Dest code in this example.

This helps find the culprit mailbox and person with the weak password.

________________________________________

Add me to LinkedIN

**New Allworx Forum**


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: BCM50 Hacked, trying to plug the hole

Each Mailbox will have a usage indicator and you can find how many times it's been accessed etc.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.com
linkedin

RE: BCM50 Hacked, trying to plug the hole

Sorry to say, but that hack was your fault.

You should have had a remote restriction in place that disallowed long distance calls when someone dialed in to the system.

RE: BCM50 Hacked, trying to plug the hole

Wow that was rude or harsh or both?
How do you know that tubdub programmed the system?
How do you even know their lines were set to Auto Answer or that the hacker used that method?

________________________________________

Add me to LinkedIN

**New Allworx Forum**


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: BCM50 Hacked, trying to plug the hole

If he's the PBX admin, ultimately he's responsible.

A remote restriction would stop anyone who called in from dialing out a toll call. Let them dial out local when they are remoting in but block 0-, 011+, 411, 611, 911, 1+NPA, except 1-888 1-877 1-866 1-855 1-844. Centrex Link Transfers should be blocked if incoming calls can come on in those (nobody uses analog Centrex anymore though).

They did it through Call Pilot. Outdial route in CP is none by default so it must have been enabled.

RE: BCM50 Hacked, trying to plug the hole

"f he's the PBX admin, ultimately he's responsible."
Perhaps but based on what happend and training provided etc but regardless thats not for you or anyone else to say or scold.

"A remote restriction would stop anyone who called in from dialing out a toll call"
Yes but only on an Auto Answer Line (Disa), not for sets/callpilot.

"Outdial route in CP is none by default so it must have been enabled."
Of course, thats how you use External Transfer from Mailboxes.

Note that you would need to rectrict the ports that Callpilot uses by using Set Restrictions or Line Restrictions but only if Long Distance is not required by any of the users.

"Centrex Link Transfers should be blocked if incoming calls can come on in those (nobody uses analog Centrex anymore though)."
Centrex is not the only package using Link.

________________________________________

Add me to LinkedIN

**New Allworx Forum**


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: BCM50 Hacked, trying to plug the hole

(OP)
As I am the current admin I suppose the blame is mine, but in my defence I wasn't the original admin/installer and am no expert. I have only made minor config changes as and when needed.

Several of the COS had external transfer from call pilot enabled. This must have been done by the previous admin, no idea why and I have now disabled it.

Once again, thanks for the responses.

RE: BCM50 Hacked, trying to plug the hole

Tubdub: The first line of your log is the culprit:

MyPhone: Bad Password: 102 by 188.161.244.180 rc=1(0x1)

This shows a public ip address accessing your system. Ooohhh... nasty.
There is a known, and quite simple hack to gain access to poorly initialised
mailboxes on the BCM50. They use the web based user-login page, and just throw
a script at it; This method does *NOT* key-up the failed-attempts counter, sadly.

Never ever open port 443 (or 80 for that matter) to the public internet on any
BCM50; I've had the exact same whallop a Rel 3 system, and to the tune of £1500 odd
before the carrier clobbered the ISDN lines as a courtessy.

From where you manage externally, obtain a static IP address, and in the customer
premises, set up a firewall rule on their router that *only* allows your ip address
in, or others you trust, and denies everything else. My laziness caused a lot of
grief, and the hackers knew exactly what to do, once they found a system that
answered back as a BCM...

In the apache logs on the bcm, the line starts like:

GET /Voicemail-cgi-bin/MyPhone.exe?SecCon=m_rmi(and a load of mmmmmm's and a long url)

http://srpl.com/norstar/

RE: BCM50 Hacked, trying to plug the hole

(OP)
Thanks for that info, I have indeed since closed port 443, although I never made use of this myself, it was all set up prior to me taking over. Since the system had not had any problems in the past I left everything as it was..... won't make that mistake again.

Out of interest, if the COS had not had external transfer from CallPilot enabled, would that have prevented the outgoing calls? Or does this hack circumvent that setting as well?

RE: BCM50 Hacked, trying to plug the hole

"hey use the web based user-login page, and just throw
a script at it; This method does *NOT* key-up the failed-attempts counter"

This means the Mailbox Manager will not lock you out after X amount of password tries like the telephone does.
So the script will keep trying passwords until it's in.

Callpilot Manager page however is where COS is controlled, unless they figured out your user name and your password then they cannot change the COS.

So otherwise yes if the mailbox was in a COS that did not allow External Transfer then it would have not worked.

Best to also deny all other COS's 1 through 15 if nobody requires External Transfer.






________________________________________

Add me to LinkedIN

**New Allworx Forum**


=----(((((((((()----=
www.curlycord.com
Toronto, CAN

RE: BCM50 Hacked, trying to plug the hole

Also go through all your application DN's and remove any reference to line pools which id usually "A". Why Nortel had them in there must have been historical before IP came along when the DID template was used.

Firebird Scrambler

Nortel & Avaya Meridian 1 / Succession & BCM / Norstar Programmer

Website = http://somertel.com
linkedin

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Resources

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close